---------- Forwarded message ----------
From: "Who Wants To Live Forever ..." (mruiz@ING.UMAYOR.CL)
To: BUGTRAQ@netspace.org
Date: Thu, 29 Oct 1998 17:11:52 -0300
Subject: WatchGuard Firewall internal D.O.S

When we were testing a FireBox II (WatchGuard.. the red one box) from internet it filtered any attack, but when we probe it from internal network (masquerade), it doesn't filter udp attack, actually with "pepsi" flood spoofed as localhost at dns port, it goes down, and stays disarmed.

We don't know if machines at the "optional" interface stay completely vulnerable .. but it could be, we informed WatchGuard.com .. but they don't answer.

Matias Ruiz Patricio Laf.
www.miticos.cl

---------- Forwarded message ----------
From: WatchGuard Rapid Response (RapidResponse@WATCHGUARD.COM)
To: BUGTRAQ@netspace.org
Date: Wed, 4 Nov 1998 13:14:28 -0800
Subject: Regarding the reported DOS against the internal interface of a Watchguard Firebox II

Last Friday (Oct 30, 1998) a message was posted to Bugtraq describing a Denial of Service Attack against the WatchGuard FireBox II. The poster, Sr. Matias Ruiz, described how he had caused a FireBox II to crash during a "Pepsi" attack launched against the trusted interface from the trusted network.

When the WatchGuard Rapid Response Team saw the post, we began trying to contact Sr. Ruiz and to duplicate the exploit. To date, we have been unsuccessful contacting Sr. Ruiz.

We have completed our testing of the Firebox II and have been unsuccessful in duplicating the results that Sr. Ruiz has described in his post. We believe that the Firebox II running the currently shipping version of the software is not vulnerable to the attack as it was described.

To more fully understand the ramifications of this class of attack against the WatchGuard Security System we extended the parameters of our testing to include simultaneous Pepsi, New-Pep and Ping-flooding from multiple sources on both a 100 MB Ethernet segment and a 10 MB Ethernet segment. These attacks were run against the trusted interface from the trusted network on both the Firebox II, and the Firebox 100.

Our results are as follows:

1) The FB II running the currently shipping version of the software, (Version 3.1) operated normally during the test on both the 10 and 100 MB segments

2) The FB 100 running the currently shipping version of the software, (Version 3.0 Rev.A) operated normally during the test on the 10 MB segment

3) The FB 100 running the currently shipping version of the software, (Version 3.0 Rev.A) did suffer a gradual degradation of performance on a 100MB segment leading to a reboot after 30 Min. of continuous flooding. At no time was the test platform "disarmed".

As a practical matter, the behavior observed in test case 3 (above) is a highly anomalous and easily traceable traffic pattern, the impact of which can be mitigated by a few simple configuration changes. Contact WatchGuard Technical Support if you have any questions.

In the absence of any further information from Sr. Ruiz, we believe that his report of a vulnerability in the FireBox II is in error.

WatchGuard Rapid Response Team